@mbc-cqrs-serverless/core 1.2.7-beta.0 → 1.3.1

package/README.md

@@ -215,6 +215,43 @@ export class TodoDataSyncHandler implements IDataSyncHandler {
 }
 ```
 
+## Group-based roles
+
+`RolesGuard` checks direct roles from JWT `custom:roles` first, then roles from groups in `custom:groups` (tenant-scoped). Group → role mappings are **not** stored in the JWT; implement a resolver in your app.
+
+**JWT example:**
+
+```json
+{
+  "custom:roles": "[{\"tenant\":\"tenant-a\",\"role\":\"admin\"}]",
+  "custom:groups": "[{\"tenant\":\"tenant-a\",\"groups\":[\"sales-team\"]}]"
+}
+```
+
+**Resolver (one per app):**
+
+```typescript
+import {
+  GroupRoleResolver,
+  IGroupRoleResolver,
+} from '@mbc-cqrs-serverless/core';
+
+// Do not add @Injectable() — @GroupRoleResolver() already registers the provider.
+@GroupRoleResolver()
+export class AppGroupRoleResolver implements IGroupRoleResolver {
+  async resolveRoles({ tenantCode, groupIds, claims }) {
+    // Load roles from DynamoDB, RDS, config, etc.
+    return ['viewer', 'reporter'];
+  }
+}
+```
+
+Register the class in your NestJS module `providers`. `AuthModule` is imported automatically via core `AppModule.forRoot()` and exports `GroupRoleResolverRegistry` globally for `@Auth()` / `RolesGuard`.
+
+### Extending authorization
+
+`RolesGuard` evaluates `tenantRoles` from the JWT (not `getUserRole()`). The protected `getUserRole()` method is **deprecated** and not called by the default guard. Subclasses should override `verifyRole` or `resolveGroupRoles` for custom logic.
+
 ## Environment Variables
 
 | Variable | Description | Default |

package/dist/app.module.js

@@ -13,6 +13,7 @@ const core_1 = require("@nestjs/core");
 const app_controller_1 = require("./app.controller");
 const app_module_definition_1 = require("./app.module-definition");
 const app_service_1 = require("./app.service");
+const auth_1 = require("./auth");
 const data_sync_module_1 = require("./command-events/data-sync.module");
 const data_store_module_1 = require("./data-store/data-store.module");
 const env_validation_1 = require("./env.validation");
@@ -64,6 +65,7 @@ exports.AppModule = AppModule;
 exports.AppModule = AppModule = __decorate([
     (0, common_1.Module)({
         imports: [
+            auth_1.AuthModule,
             notification_module_1.NotificationModule,
             data_store_module_1.DataStoreModule,
             data_sync_module_1.DataSyncModule,

package/dist/app.module.js.map

@@ -1 +1 @@
-{"version":3,"file":"app.module.js","sourceRoot":"","sources":["../src/app.module.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAAsD;AACtD,2CAA6C;AAC7C,uCAAmD;AAEnD,qDAAgD;AAChD,mEAA+E;AAC/E,+CAA0C;AAC1C,wEAAkE;AAClE,sEAAgE;AAChE,qDAAoD;AACpD,qCAAsC;AACtC,6EAAwE;AACxE,uDAAkD;AAClD,kEAA6D;AAC7D,2EAAqE;AAa9D,IAAM,SAAS,GAAf,MAAM,SAAU,SAAQ,+CAAuB;IACpD,MAAM,CAAC,OAAO,CAAC,OAA4B;QACzC,MAAM,uBAAuB,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,KAAK,MAAM,CAAA;QAC5E,MAAM,OAAO,GAAW;YACtB;gBACE,IAAI,EAAE,KAAK;gBACX,MAAM,EAAE,OAAO,CAAC,UAAU;aAC3B;SACF,CAAA;QACD,iCAAiC;QACjC,IAAI,uBAAuB,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,oBAAW;aACpB,CAAC,CAAA;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;QACrC,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAA;QAC3C,OAAO,CAAC,IAAI,CACV,qBAAY,CAAC,OAAO,CAAC;YACnB,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,IAAI;YACX,eAAe,EAAE,IAAI;YACrB,iBAAiB,EAAE;gBACjB,YAAY,EAAE,KAAK;gBACnB,UAAU,EAAE,IAAI;aACjB;YACD,QAAQ,EAAE,IAAA,kCAAiB,EAAC,OAAO,CAAC,MAAM,CAAC;SAC5C,CAAC,CACH,CAAA;QACD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;QAChC,IAAI,uBAAuB,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC,oBAAW,CAAC,CAAA;QAC3B,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,mBAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAA;QAE5C,OAAO;YACL,GAAG,MAAM;YACT,OAAO;SACR,CAAA;IACH,CAAC;CACF,CAAA;AA1CY,8BAAS;oBAAT,SAAS;IAXrB,IAAA,eAAM,EAAC;QACN,OAAO,EAAE;YACP,wCAAkB;YAClB,mCAAe;YACf,iCAAc;YACd,yCAAkB;YAClB,0BAAW;SACZ;QACD,WAAW,EAAE,CAAC,8BAAa,CAAC;QAC5B,SAAS,EAAE,CAAC,wBAAU,EAAE,kCAAe,CAAC;KACzC,CAAC;GACW,SAAS,CA0CrB"}
+{"version":3,"file":"app.module.js","sourceRoot":"","sources":["../src/app.module.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAAsD;AACtD,2CAA6C;AAC7C,uCAAmD;AAEnD,qDAAgD;AAChD,mEAA+E;AAC/E,+CAA0C;AAC1C,iCAAmC;AACnC,wEAAkE;AAClE,sEAAgE;AAChE,qDAAoD;AACpD,qCAAsC;AACtC,6EAAwE;AACxE,uDAAkD;AAClD,kEAA6D;AAC7D,2EAAqE;AAc9D,IAAM,SAAS,GAAf,MAAM,SAAU,SAAQ,+CAAuB;IACpD,MAAM,CAAC,OAAO,CAAC,OAA4B;QACzC,MAAM,uBAAuB,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,KAAK,MAAM,CAAA;QAC5E,MAAM,OAAO,GAAW;YACtB;gBACE,IAAI,EAAE,KAAK;gBACX,MAAM,EAAE,OAAO,CAAC,UAAU;aAC3B;SACF,CAAA;QACD,iCAAiC;QACjC,IAAI,uBAAuB,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC;gBACX,IAAI,EAAE,OAAO;gBACb,MAAM,EAAE,oBAAW;aACpB,CAAC,CAAA;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;QACrC,MAAM,OAAO,GAAG,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAA;QAC3C,OAAO,CAAC,IAAI,CACV,qBAAY,CAAC,OAAO,CAAC;YACnB,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,IAAI;YACX,eAAe,EAAE,IAAI;YACrB,iBAAiB,EAAE;gBACjB,YAAY,EAAE,KAAK;gBACnB,UAAU,EAAE,IAAI;aACjB;YACD,QAAQ,EAAE,IAAA,kCAAiB,EAAC,OAAO,CAAC,MAAM,CAAC;SAC5C,CAAC,CACH,CAAA;QACD,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;QAChC,IAAI,uBAAuB,EAAE,CAAC;YAC5B,OAAO,CAAC,IAAI,CAAC,oBAAW,CAAC,CAAA;QAC3B,CAAC;QACD,OAAO,CAAC,IAAI,CAAC,mBAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAA;QAE5C,OAAO;YACL,GAAG,MAAM;YACT,OAAO;SACR,CAAA;IACH,CAAC;CACF,CAAA;AA1CY,8BAAS;oBAAT,SAAS;IAZrB,IAAA,eAAM,EAAC;QACN,OAAO,EAAE;YACP,iBAAU;YACV,wCAAkB;YAClB,mCAAe;YACf,iCAAc;YACd,yCAAkB;YAClB,0BAAW;SACZ;QACD,WAAW,EAAE,CAAC,8BAAa,CAAC;QAC5B,SAAS,EAAE,CAAC,wBAAU,EAAE,kCAAe,CAAC;KACzC,CAAC;GACW,SAAS,CA0CrB"}

package/dist/auth/auth.module.d.ts

@@ -0,0 +1,2 @@
+export declare class AuthModule {
+}

package/dist/auth/auth.module.js

@@ -0,0 +1,30 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthModule = void 0;
+const common_1 = require("@nestjs/common");
+const roles_guard_1 = require("../guard/roles.guard");
+const explorer_service_1 = require("../services/explorer.service");
+const authz_bootstrap_service_1 = require("./authz-bootstrap.service");
+const group_role_resolver_registry_1 = require("./group-role-resolver.registry");
+let AuthModule = class AuthModule {
+};
+exports.AuthModule = AuthModule;
+exports.AuthModule = AuthModule = __decorate([
+    (0, common_1.Global)(),
+    (0, common_1.Module)({
+        providers: [
+            explorer_service_1.ExplorerService,
+            group_role_resolver_registry_1.GroupRoleResolverRegistry,
+            authz_bootstrap_service_1.AuthzBootstrapService,
+            roles_guard_1.RolesGuard,
+        ],
+        exports: [group_role_resolver_registry_1.GroupRoleResolverRegistry, roles_guard_1.RolesGuard, explorer_service_1.ExplorerService],
+    })
+], AuthModule);
+//# sourceMappingURL=auth.module.js.map

package/dist/auth/auth.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.module.js","sourceRoot":"","sources":["../../src/auth/auth.module.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAA+C;AAE/C,sDAAiD;AACjD,mEAA8D;AAC9D,uEAAiE;AACjE,iFAA0E;AAYnE,IAAM,UAAU,GAAhB,MAAM,UAAU;CAAG,CAAA;AAAb,gCAAU;qBAAV,UAAU;IAVtB,IAAA,eAAM,GAAE;IACR,IAAA,eAAM,EAAC;QACN,SAAS,EAAE;YACT,kCAAe;YACf,wDAAyB;YACzB,+CAAqB;YACrB,wBAAU;SACX;QACD,OAAO,EAAE,CAAC,wDAAyB,EAAE,wBAAU,EAAE,kCAAe,CAAC;KAClE,CAAC;GACW,UAAU,CAAG"}

package/dist/auth/authz-bootstrap.service.d.ts

@@ -0,0 +1,11 @@
+import { OnApplicationBootstrap } from '@nestjs/common';
+import { ModuleRef } from '@nestjs/core';
+import { ExplorerService } from '../services/explorer.service';
+import { GroupRoleResolverRegistry } from './group-role-resolver.registry';
+export declare class AuthzBootstrapService implements OnApplicationBootstrap {
+    private readonly explorerService;
+    private readonly moduleRef;
+    private readonly registry;
+    constructor(explorerService: ExplorerService, moduleRef: ModuleRef, registry: GroupRoleResolverRegistry);
+    onApplicationBootstrap(): void;
+}

package/dist/auth/authz-bootstrap.service.js

@@ -0,0 +1,47 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthzBootstrapService = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const explorer_service_1 = require("../services/explorer.service");
+const group_role_resolver_registry_1 = require("./group-role-resolver.registry");
+let AuthzBootstrapService = class AuthzBootstrapService {
+    constructor(explorerService, moduleRef, registry) {
+        this.explorerService = explorerService;
+        this.moduleRef = moduleRef;
+        this.registry = registry;
+    }
+    onApplicationBootstrap() {
+        const types = this.explorerService.exploreGroupRoleResolvers();
+        if (types.length > 1) {
+            throw new Error('Only one @GroupRoleResolver() is allowed per application');
+        }
+        if (types.length === 0) {
+            return;
+        }
+        const instance = this.moduleRef.get(types[0], {
+            strict: false,
+        });
+        if (!instance) {
+            throw new Error(`GroupRoleResolver ${types[0].name} was discovered but could not be resolved from DI`);
+        }
+        this.registry.set(instance);
+    }
+};
+exports.AuthzBootstrapService = AuthzBootstrapService;
+exports.AuthzBootstrapService = AuthzBootstrapService = __decorate([
+    (0, common_1.Injectable)(),
+    __metadata("design:paramtypes", [explorer_service_1.ExplorerService,
+        core_1.ModuleRef,
+        group_role_resolver_registry_1.GroupRoleResolverRegistry])
+], AuthzBootstrapService);
+//# sourceMappingURL=authz-bootstrap.service.js.map

package/dist/auth/authz-bootstrap.service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"authz-bootstrap.service.js","sourceRoot":"","sources":["../../src/auth/authz-bootstrap.service.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAAmE;AACnE,uCAAwC;AAExC,mEAA8D;AAE9D,iFAA0E;AAGnE,IAAM,qBAAqB,GAA3B,MAAM,qBAAqB;IAChC,YACmB,eAAgC,EAChC,SAAoB,EACpB,QAAmC;QAFnC,oBAAe,GAAf,eAAe,CAAiB;QAChC,cAAS,GAAT,SAAS,CAAW;QACpB,aAAQ,GAAR,QAAQ,CAA2B;IACnD,CAAC;IAEJ,sBAAsB;QACpB,MAAM,KAAK,GAAG,IAAI,CAAC,eAAe,CAAC,yBAAyB,EAAE,CAAA;QAE9D,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CACb,0DAA0D,CAC3D,CAAA;QACH,CAAC;QAED,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAM;QACR,CAAC;QAED,MAAM,QAAQ,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAqB,KAAK,CAAC,CAAC,CAAC,EAAE;YAChE,MAAM,EAAE,KAAK;SACd,CAAC,CAAA;QAEF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CACb,qBAAqB,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,mDAAmD,CACtF,CAAA;QACH,CAAC;QAED,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IAC7B,CAAC;CACF,CAAA;AAhCY,sDAAqB;gCAArB,qBAAqB;IADjC,IAAA,mBAAU,GAAE;qCAGyB,kCAAe;QACrB,gBAAS;QACV,wDAAyB;GAJ3C,qBAAqB,CAgCjC"}

package/dist/auth/group-role-resolver.interface.d.ts

@@ -0,0 +1,13 @@
+import { JwtClaims } from '../context/invoke';
+export interface TenantGroupMembership {
+    tenant: string;
+    groups: string[];
+}
+export interface ResolveGroupRolesInput {
+    tenantCode: string;
+    groupIds: string[];
+    claims?: JwtClaims;
+}
+export interface IGroupRoleResolver {
+    resolveRoles(input: ResolveGroupRolesInput): Promise<string[]>;
+}

package/dist/auth/group-role-resolver.interface.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=group-role-resolver.interface.js.map

package/dist/auth/group-role-resolver.interface.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"group-role-resolver.interface.js","sourceRoot":"","sources":["../../src/auth/group-role-resolver.interface.ts"],"names":[],"mappings":""}

package/dist/auth/group-role-resolver.registry.d.ts

@@ -0,0 +1,6 @@
+import { IGroupRoleResolver } from './group-role-resolver.interface';
+export declare class GroupRoleResolverRegistry {
+    private resolver?;
+    set(resolver: IGroupRoleResolver): void;
+    get(): IGroupRoleResolver | undefined;
+}

package/dist/auth/group-role-resolver.registry.js

@@ -0,0 +1,26 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GroupRoleResolverRegistry = void 0;
+const common_1 = require("@nestjs/common");
+let GroupRoleResolverRegistry = class GroupRoleResolverRegistry {
+    set(resolver) {
+        if (this.resolver) {
+            throw new Error('Only one @GroupRoleResolver() is allowed per application');
+        }
+        this.resolver = resolver;
+    }
+    get() {
+        return this.resolver;
+    }
+};
+exports.GroupRoleResolverRegistry = GroupRoleResolverRegistry;
+exports.GroupRoleResolverRegistry = GroupRoleResolverRegistry = __decorate([
+    (0, common_1.Injectable)()
+], GroupRoleResolverRegistry);
+//# sourceMappingURL=group-role-resolver.registry.js.map

package/dist/auth/group-role-resolver.registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"group-role-resolver.registry.js","sourceRoot":"","sources":["../../src/auth/group-role-resolver.registry.ts"],"names":[],"mappings":";;;;;;;;;AAAA,2CAA2C;AAKpC,IAAM,yBAAyB,GAA/B,MAAM,yBAAyB;IAGpC,GAAG,CAAC,QAA4B;QAC9B,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CACb,0DAA0D,CAC3D,CAAA;QACH,CAAC;QACD,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAA;IAC1B,CAAC;IAED,GAAG;QACD,OAAO,IAAI,CAAC,QAAQ,CAAA;IACtB,CAAC;CACF,CAAA;AAfY,8DAAyB;oCAAzB,yBAAyB;IADrC,IAAA,mBAAU,GAAE;GACA,yBAAyB,CAerC"}

package/dist/auth/index.d.ts

@@ -0,0 +1,4 @@
+export * from './auth.module';
+export * from './authz-bootstrap.service';
+export * from './group-role-resolver.interface';
+export * from './group-role-resolver.registry';

package/dist/auth/index.js

@@ -0,0 +1,21 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./auth.module"), exports);
+__exportStar(require("./authz-bootstrap.service"), exports);
+__exportStar(require("./group-role-resolver.interface"), exports);
+__exportStar(require("./group-role-resolver.registry"), exports);
+//# sourceMappingURL=index.js.map

package/dist/auth/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,gDAA6B;AAC7B,4DAAyC;AACzC,kEAA+C;AAC/C,iEAA8C"}

package/dist/context/invoke.d.ts

@@ -15,6 +15,7 @@ export interface JwtClaims {
     name: string;
     'custom:tenant'?: string;
     'custom:roles'?: string;
+    'custom:groups'?: string;
     exp: number;
     email: string;
     email_verified?: boolean;

package/dist/context/invoke.js.map

@@ -1 +1 @@
-{"version":3,"file":"invoke.js","sourceRoot":"","sources":["../../src/context/invoke.ts"],"names":[],"mappings":";;AAiFA,oDAoDC;AAED,kDAsBC;AA7JD,sEAAgE;AAChE,2CAAwE;AAExE,2CAAsC;AAEtC,wCAA8C;AA4E9C,SAAgB,oBAAoB,CAAC,GAAsB;IACzD,IAAI,2BAAiB,EAAE,CAAC;QACtB,OAAO,IAAA,qCAAgB,GAAE,CAAA;IAC3B,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,CAAA;IACX,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC,UAAU,EAAW,CAAA;IACxD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAiC,CAAA;IACzD,IAAI,UAAU,GAAuB,SAAS,CAAA;IAC9C,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;IAC9C,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAA;YACxD,MAAM,MAAM,GAAG,IAAA,sBAAS,EAAY,KAAK,CAAC,CAAA;YAC1C,UAAU,GAAG;gBACX,GAAG,EAAE;oBACH,MAAM;oBACN,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC;iBAClC;aACF,CAAA;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,8BAAqB,CAC7B,0CAA0C,CAC3C,CAAA;QACH,CAAC;IACH,CAAC;IACD,OAAO;QACL,KAAK,EAAE;YACL,QAAQ,EAAE,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,IAAI,EAAE;YAC7C,OAAO,EAAE,OAAO,CAAC,WAAW;YAC5B,OAAO;YACP,cAAc,EAAE;gBACd,UAAU,EAAE,OAAO,CAAC,QAAQ;gBAC5B,IAAI,EAAE;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,OAAO,CAAC,EAAE;oBAClD,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;iBACrC;gBACD,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;gBACtC,UAAU;aACX;SACF;QACD,OAAO,EAAE;YACP,YAAY,EACV,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;gBAC1B,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;SAC9B;KACF,CAAA;AACH,CAAC;AAED,SAAgB,mBAAmB,CAAC,GAAY;IAC9C,OAAO,CACL,GAAG,EAAE,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,IAAK,EAAgB,CACzE,CAAA;IACD,IAAI;IACJ,mDAAmD;IACnD,mDAAmD;IACnD,kCAAkC;IAClC,kCAAkC;IAClC,0DAA0D;IAC1D,wCAAwC;IACxC,wDAAwD;IACxD,uBAAuB;IACvB,6BAA6B;IAC7B,sBAAsB;IACtB,6BAA6B;IAC7B,qDAAqD;IACrD,uBAAuB;IACvB,+BAA+B;IAC/B,uBAAuB;IACvB,kDAAkD;IAClD,IAAI;AACN,CAAC"}
+{"version":3,"file":"invoke.js","sourceRoot":"","sources":["../../src/context/invoke.ts"],"names":[],"mappings":";;AAkFA,oDAoDC;AAED,kDAsBC;AA9JD,sEAAgE;AAChE,2CAAwE;AAExE,2CAAsC;AAEtC,wCAA8C;AA6E9C,SAAgB,oBAAoB,CAAC,GAAsB;IACzD,IAAI,2BAAiB,EAAE,CAAC;QACtB,OAAO,IAAA,qCAAgB,GAAE,CAAA;IAC3B,CAAC;IACD,IAAI,CAAC,GAAG,EAAE,CAAC;QACT,OAAO,EAAE,CAAA;IACX,CAAC;IACD,MAAM,OAAO,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC,UAAU,EAAW,CAAA;IACxD,MAAM,OAAO,GAAG,OAAO,CAAC,OAAiC,CAAA;IACzD,IAAI,UAAU,GAAuB,SAAS,CAAA;IAC9C,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAA;IAC9C,IAAI,SAAS,EAAE,CAAC;QACd,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,SAAS,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAA;YACxD,MAAM,MAAM,GAAG,IAAA,sBAAS,EAAY,KAAK,CAAC,CAAA;YAC1C,UAAU,GAAG;gBACX,GAAG,EAAE;oBACH,MAAM;oBACN,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,CAAC,GAAG,CAAC;iBAClC;aACF,CAAA;QACH,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,8BAAqB,CAC7B,0CAA0C,CAC3C,CAAA;QACH,CAAC;IACH,CAAC;IACD,OAAO;QACL,KAAK,EAAE;YACL,QAAQ,EAAE,GAAG,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,IAAI,EAAE;YAC7C,OAAO,EAAE,OAAO,CAAC,WAAW;YAC5B,OAAO;YACP,cAAc,EAAE;gBACd,UAAU,EAAE,OAAO,CAAC,QAAQ;gBAC5B,IAAI,EAAE;oBACJ,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,IAAI,EAAE,OAAO,CAAC,IAAI;oBAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ;oBAC1B,QAAQ,EAAE,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,OAAO,CAAC,EAAE;oBAClD,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;iBACrC;gBACD,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;gBACtC,UAAU;aACX;SACF;QACD,OAAO,EAAE;YACP,YAAY,EACV,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC;gBAC1B,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;gBAC9B,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC;SAC9B;KACF,CAAA;AACH,CAAC;AAED,SAAgB,mBAAmB,CAAC,GAAY;IAC9C,OAAO,CACL,GAAG,EAAE,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,GAAG,EAAE,MAAM,IAAK,EAAgB,CACzE,CAAA;IACD,IAAI;IACJ,mDAAmD;IACnD,mDAAmD;IACnD,kCAAkC;IAClC,kCAAkC;IAClC,0DAA0D;IAC1D,wCAAwC;IACxC,wDAAwD;IACxD,uBAAuB;IACvB,6BAA6B;IAC7B,sBAAsB;IACtB,6BAA6B;IAC7B,qDAAqD;IACrD,uBAAuB;IACvB,+BAA+B;IAC/B,uBAAuB;IACvB,kDAAkD;IAClD,IAAI;AACN,CAAC"}

package/dist/context/user.d.ts

@@ -8,6 +8,10 @@ export declare class UserContext {
     userId: string;
     tenantRole: string;
     tenantCode: string;
+    /** Direct roles from custom:roles for the active tenant (excludes group-derived roles). */
+    tenantRoles: string[];
+    /** Group IDs from custom:groups for the active tenant. */
+    tenantGroupIds: string[];
     constructor(partial: Partial<UserContext>);
 }
 /**

package/dist/context/user.js

@@ -10,6 +10,52 @@ class UserContext {
     }
 }
 exports.UserContext = UserContext;
+function parseTenantGroups(raw, tenantCode) {
+    if (!tenantCode) {
+        return [];
+    }
+    let parsed;
+    try {
+        parsed = JSON.parse(raw || '[]');
+    }
+    catch {
+        return [];
+    }
+    if (!Array.isArray(parsed)) {
+        return [];
+    }
+    const memberships = parsed.map((membership) => ({
+        ...membership,
+        tenant: (membership.tenant || '').toLowerCase(),
+    }));
+    const match = memberships.find((membership) => membership.tenant === tenantCode);
+    const groups = match?.groups;
+    return Array.isArray(groups) ? groups : [];
+}
+function collectTenantRoles(roles, tenantCode) {
+    if (!tenantCode) {
+        return [];
+    }
+    const seen = new Set();
+    const result = [];
+    const add = (role) => {
+        if (!seen.has(role)) {
+            seen.add(role);
+            result.push(role);
+        }
+    };
+    for (const { tenant, role } of roles) {
+        if (tenant === tenantCode) {
+            add(role);
+        }
+    }
+    for (const { tenant, role } of roles) {
+        if (tenant === '') {
+            add(role);
+        }
+    }
+    return result;
+}
 /**
  * Extract user context from JWT claims and request headers.
  *
@@ -33,6 +79,8 @@ function getUserContext(ctx) {
     // 2. Otherwise, use header value (security check delegated to RolesGuard)
     // Note: tenantCode is normalized to lowercase for case-insensitive matching with role.tenant
     const tenantCode = (claims['custom:tenant'] || (ctx?.event?.headers || {})[constants_1.HEADER_TENANT_CODE])?.toLowerCase();
+    const tenantGroupIds = parseTenantGroups(claims['custom:groups'], tenantCode);
+    const tenantRoles = collectTenantRoles(roles, tenantCode);
     // Find tenantRole (case-insensitive matching - both tenantCode and role.tenant are lowercase)
     let tenantRole = '';
     for (const { tenant, role } of roles) {
@@ -47,6 +95,8 @@ function getUserContext(ctx) {
         userId,
         tenantRole,
         tenantCode,
+        tenantRoles,
+        tenantGroupIds,
     };
 }
 //# sourceMappingURL=user.js.map

package/dist/context/user.js.map

@@ -1 +1 @@
-{"version":3,"file":"user.js","sourceRoot":"","sources":["../../src/context/user.ts"],"names":[],"mappings":";;;AA8BA,wCAqCC;AAjED,4CAAiD;AACjD,qCAA6E;AAO7E,MAAa,WAAW;IAKtB,YAAY,OAA6B;QACvC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;IAC9B,CAAC;CACF;AARD,kCAQC;AAED;;;;;;;;;GASG;AACH,SAAgB,cAAc,CAAC,GAA+B;IAC5D,IAAI,YAAY,IAAI,GAAG,EAAE,CAAC;QACxB,GAAG,GAAG,IAAA,6BAAoB,EAAC,GAAG,CAAC,CAAA;IACjC,CAAC;IACD,MAAM,MAAM,GAAG,IAAA,4BAAmB,EAAC,GAAG,CAAC,CAAA;IAEvC,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAA;IAEzB,cAAc;IACd,MAAM,KAAK,GACT,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,IAAI,CAC1C,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,CAAA;IAEzE,wBAAwB;IACxB,oDAAoD;IACpD,0EAA0E;IAC1E,6FAA6F;IAC7F,MAAM,UAAU,GAAG,CACjB,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,8BAAkB,CAAC,CAC3E,EAAE,WAAW,EAAE,CAAA;IAEhB,8FAA8F;IAC9F,IAAI,UAAU,GAAG,EAAE,CAAA;IACnB,KAAK,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,KAAK,EAAE,CAAC;QACrC,IAAI,MAAM,KAAK,EAAE,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;YAC3C,UAAU,GAAG,IAAI,CAAA;YACjB,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;gBAClB,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,MAAM;QACN,UAAU;QACV,UAAU;KACX,CAAA;AACH,CAAC"}
+{"version":3,"file":"user.js","sourceRoot":"","sources":["../../src/context/user.ts"],"names":[],"mappings":";;;AA8FA,wCA0CC;AArID,4CAAiD;AACjD,qCAA6E;AAO7E,MAAa,WAAW;IAStB,YAAY,OAA6B;QACvC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;IAC9B,CAAC;CACF;AAZD,kCAYC;AAED,SAAS,iBAAiB,CACxB,GAAuB,EACvB,UAA8B;IAE9B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,CAAA;IACX,CAAC;IAED,IAAI,MAAe,CAAA;IACnB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,IAAI,IAAI,CAAC,CAAA;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAA;IACX,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,OAAO,EAAE,CAAA;IACX,CAAC;IAED,MAAM,WAAW,GAAI,MAAkC,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;QAC3E,GAAG,UAAU;QACb,MAAM,EAAE,CAAC,UAAU,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE;KAChD,CAAC,CAAC,CAAA;IAEH,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,CAC5B,CAAC,UAAU,EAAE,EAAE,CAAC,UAAU,CAAC,MAAM,KAAK,UAAU,CACjD,CAAA;IACD,MAAM,MAAM,GAAG,KAAK,EAAE,MAAM,CAAA;IAC5B,OAAO,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAA;AAC5C,CAAC;AAED,SAAS,kBAAkB,CACzB,KAAmB,EACnB,UAA8B;IAE9B,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,EAAE,CAAA;IACX,CAAC;IACD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAA;IAC9B,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,MAAM,GAAG,GAAG,CAAC,IAAY,EAAE,EAAE;QAC3B,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;YACd,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;QACnB,CAAC;IACH,CAAC,CAAA;IACD,KAAK,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,KAAK,EAAE,CAAC;QACrC,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;YAC1B,GAAG,CAAC,IAAI,CAAC,CAAA;QACX,CAAC;IACH,CAAC;IACD,KAAK,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,KAAK,EAAE,CAAC;QACrC,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;YAClB,GAAG,CAAC,IAAI,CAAC,CAAA;QACX,CAAC;IACH,CAAC;IACD,OAAO,MAAM,CAAA;AACf,CAAC;AAED;;;;;;;;;GASG;AACH,SAAgB,cAAc,CAAC,GAA+B;IAC5D,IAAI,YAAY,IAAI,GAAG,EAAE,CAAC;QACxB,GAAG,GAAG,IAAA,6BAAoB,EAAC,GAAG,CAAC,CAAA;IACjC,CAAC;IACD,MAAM,MAAM,GAAG,IAAA,4BAAmB,EAAC,GAAG,CAAC,CAAA;IAEvC,MAAM,MAAM,GAAG,MAAM,CAAC,GAAG,CAAA;IAEzB,cAAc;IACd,MAAM,KAAK,GACT,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,IAAI,CAC1C,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,CAAA;IAEzE,wBAAwB;IACxB,oDAAoD;IACpD,0EAA0E;IAC1E,6FAA6F;IAC7F,MAAM,UAAU,GAAG,CACjB,MAAM,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,EAAE,OAAO,IAAI,EAAE,CAAC,CAAC,8BAAkB,CAAC,CAC3E,EAAE,WAAW,EAAE,CAAA;IAEhB,MAAM,cAAc,GAAG,iBAAiB,CAAC,MAAM,CAAC,eAAe,CAAC,EAAE,UAAU,CAAC,CAAA;IAC7E,MAAM,WAAW,GAAG,kBAAkB,CAAC,KAAK,EAAE,UAAU,CAAC,CAAA;IAEzD,8FAA8F;IAC9F,IAAI,UAAU,GAAG,EAAE,CAAA;IACnB,KAAK,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,KAAK,EAAE,CAAC;QACrC,IAAI,MAAM,KAAK,EAAE,IAAI,MAAM,KAAK,UAAU,EAAE,CAAC;YAC3C,UAAU,GAAG,IAAI,CAAA;YACjB,IAAI,MAAM,KAAK,EAAE,EAAE,CAAC;gBAClB,MAAK;YACP,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO;QACL,MAAM;QACN,UAAU;QACV,UAAU;QACV,WAAW;QACX,cAAc;KACf,CAAA;AACH,CAAC"}

package/dist/decorators/constants.d.ts

@@ -3,3 +3,5 @@ export declare const EVENT_HANDLER_METADATA = "__eventHandler__";
 export declare const EVENT_FACTORY_METADATA = "__eventFactory__";
 export declare const DATA_SYNC_HANDLER_METADATA = "__dataSyncHandler__";
 export declare const ROLE_METADATA = "__allowedRoles__";
+export declare const NOTIFICATION_TRANSPORT_METADATA = "__notificationTransport__";
+export declare const GROUP_ROLE_RESOLVER_METADATA = "__groupRoleResolver__";

package/dist/decorators/constants.js

@@ -1,9 +1,11 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.ROLE_METADATA = exports.DATA_SYNC_HANDLER_METADATA = exports.EVENT_FACTORY_METADATA = exports.EVENT_HANDLER_METADATA = exports.EVENT_METADATA = void 0;
+exports.GROUP_ROLE_RESOLVER_METADATA = exports.NOTIFICATION_TRANSPORT_METADATA = exports.ROLE_METADATA = exports.DATA_SYNC_HANDLER_METADATA = exports.EVENT_FACTORY_METADATA = exports.EVENT_HANDLER_METADATA = exports.EVENT_METADATA = void 0;
 exports.EVENT_METADATA = '__event__';
 exports.EVENT_HANDLER_METADATA = '__eventHandler__';
 exports.EVENT_FACTORY_METADATA = '__eventFactory__';
 exports.DATA_SYNC_HANDLER_METADATA = '__dataSyncHandler__';
 exports.ROLE_METADATA = '__allowedRoles__';
+exports.NOTIFICATION_TRANSPORT_METADATA = '__notificationTransport__';
+exports.GROUP_ROLE_RESOLVER_METADATA = '__groupRoleResolver__';
 //# sourceMappingURL=constants.js.map

package/dist/decorators/constants.js.map

@@ -1 +1 @@
-{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/decorators/constants.ts"],"names":[],"mappings":";;;AAAa,QAAA,cAAc,GAAG,WAAW,CAAA;AAC5B,QAAA,sBAAsB,GAAG,kBAAkB,CAAA;AAC3C,QAAA,sBAAsB,GAAG,kBAAkB,CAAA;AAC3C,QAAA,0BAA0B,GAAG,qBAAqB,CAAA;AAClD,QAAA,aAAa,GAAG,kBAAkB,CAAA"}
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../src/decorators/constants.ts"],"names":[],"mappings":";;;AAAa,QAAA,cAAc,GAAG,WAAW,CAAA;AAC5B,QAAA,sBAAsB,GAAG,kBAAkB,CAAA;AAC3C,QAAA,sBAAsB,GAAG,kBAAkB,CAAA;AAC3C,QAAA,0BAA0B,GAAG,qBAAqB,CAAA;AAClD,QAAA,aAAa,GAAG,kBAAkB,CAAA;AAClC,QAAA,+BAA+B,GAAG,2BAA2B,CAAA;AAC7D,QAAA,4BAA4B,GAAG,uBAAuB,CAAA"}

package/dist/decorators/group-role-resolver.decorator.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Marks a class as the application's `IGroupRoleResolver` (exactly one per app).
+ * Discovered at bootstrap and registered in `GroupRoleResolverRegistry`.
+ *
+ * Applies `@Injectable()` with default (singleton) scope. Do **not** add `@Injectable()`
+ * on the same class — a second decorator can override scope (e.g. `REQUEST`) and break
+ * bootstrap, which resolves one instance at application startup.
+ */
+export declare function GroupRoleResolver(): ClassDecorator;

package/dist/decorators/group-role-resolver.decorator.js

@@ -0,0 +1,17 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GroupRoleResolver = GroupRoleResolver;
+const common_1 = require("@nestjs/common");
+const constants_1 = require("./constants");
+/**
+ * Marks a class as the application's `IGroupRoleResolver` (exactly one per app).
+ * Discovered at bootstrap and registered in `GroupRoleResolverRegistry`.
+ *
+ * Applies `@Injectable()` with default (singleton) scope. Do **not** add `@Injectable()`
+ * on the same class — a second decorator can override scope (e.g. `REQUEST`) and break
+ * bootstrap, which resolves one instance at application startup.
+ */
+function GroupRoleResolver() {
+    return (0, common_1.applyDecorators)((0, common_1.SetMetadata)(constants_1.GROUP_ROLE_RESOLVER_METADATA, true), (0, common_1.Injectable)());
+}
+//# sourceMappingURL=group-role-resolver.decorator.js.map

package/dist/decorators/group-role-resolver.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"group-role-resolver.decorator.js","sourceRoot":"","sources":["../../src/decorators/group-role-resolver.decorator.ts"],"names":[],"mappings":";;AAYA,8CAKC;AAjBD,2CAAyE;AAEzE,2CAA0D;AAE1D;;;;;;;GAOG;AACH,SAAgB,iBAAiB;IAC/B,OAAO,IAAA,wBAAe,EACpB,IAAA,oBAAW,EAAC,wCAA4B,EAAE,IAAI,CAAC,EAC/C,IAAA,mBAAU,GAAE,CACK,CAAA;AACrB,CAAC"}

package/dist/decorators/index.d.ts

@@ -4,5 +4,7 @@ export * from './context.decorator';
 export * from './data-sync-handler.decorator';
 export * from './event-factory.decorator';
 export * from './event-handler.decorator';
+export * from './group-role-resolver.decorator';
+export * from './notification-transport.decorator';
 export * from './roles.decorator';
 export * from './swagger-response.decorator';

package/dist/decorators/index.js

@@ -20,6 +20,8 @@ __exportStar(require("./context.decorator"), exports);
 __exportStar(require("./data-sync-handler.decorator"), exports);
 __exportStar(require("./event-factory.decorator"), exports);
 __exportStar(require("./event-handler.decorator"), exports);
+__exportStar(require("./group-role-resolver.decorator"), exports);
+__exportStar(require("./notification-transport.decorator"), exports);
 __exportStar(require("./roles.decorator"), exports);
 __exportStar(require("./swagger-response.decorator"), exports);
 //# sourceMappingURL=index.js.map

package/dist/decorators/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/decorators/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,mDAAgC;AAChC,8CAA2B;AAC3B,sDAAmC;AACnC,gEAA6C;AAC7C,4DAAyC;AACzC,4DAAyC;AACzC,oDAAiC;AACjC,+DAA4C"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/decorators/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,mDAAgC;AAChC,8CAA2B;AAC3B,sDAAmC;AACnC,gEAA6C;AAC7C,4DAAyC;AACzC,4DAAyC;AACzC,kEAA+C;AAC/C,qEAAkD;AAClD,oDAAiC;AACjC,+DAA4C"}

package/dist/decorators/notification-transport.decorator.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Decorator to register a class as a Notification Transport.
+ * Automatically marks the class as an @Injectable() provider.
+ * @param name The unique identifier for this transport (e.g., 'pusher', 'appsync-event')
+ */
+export declare function NotificationTransport(name: string): ClassDecorator;

package/dist/decorators/notification-transport.decorator.js

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NotificationTransport = NotificationTransport;
+const common_1 = require("@nestjs/common");
+const constants_1 = require("./constants");
+/**
+ * Decorator to register a class as a Notification Transport.
+ * Automatically marks the class as an @Injectable() provider.
+ * @param name The unique identifier for this transport (e.g., 'pusher', 'appsync-event')
+ */
+function NotificationTransport(name) {
+    return (0, common_1.applyDecorators)((0, common_1.SetMetadata)(constants_1.NOTIFICATION_TRANSPORT_METADATA, name), (0, common_1.Injectable)());
+}
+//# sourceMappingURL=notification-transport.decorator.js.map

package/dist/decorators/notification-transport.decorator.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"notification-transport.decorator.js","sourceRoot":"","sources":["../../src/decorators/notification-transport.decorator.ts"],"names":[],"mappings":";;AASA,sDAKC;AAdD,2CAAyE;AAEzE,2CAA6D;AAE7D;;;;GAIG;AACH,SAAgB,qBAAqB,CAAC,IAAY;IAChD,OAAO,IAAA,wBAAe,EACpB,IAAA,oBAAW,EAAC,2CAA+B,EAAE,IAAI,CAAC,EAClD,IAAA,mBAAU,GAAE,CACK,CAAA;AACrB,CAAC"}

package/dist/env.validation.d.ts

@@ -1,4 +1,5 @@
 import { ClassConstructor } from 'class-transformer';
+export { BUILTIN_NOTIFICATION_TRANSPORT_ENV, parseNotificationTransports, validateBuiltinNotificationTransportEnv, } from './notification-env.validation';
 export declare enum Environment {
     Local = "local",
     Development = "dev",
@@ -22,7 +23,25 @@ export declare class EnvironmentVariables {
     SFN_COMMAND_ARN: string;
     SNS_ENDPOINT: string;
     SNS_REGION: string;
+    /**
+     * Comma-separated list of active notification transport names.
+     * Supported built-in values: 'appsync-graphql' | 'appsync-event'
+     * Defaults to 'appsync-graphql' when not set.
+     *
+     * Examples:
+     *   NOTIFICATION_TRANSPORTS=appsync-graphql
+     *   NOTIFICATION_TRANSPORTS=appsync-event
+     *   NOTIFICATION_TRANSPORTS=appsync-graphql,appsync-event
+     */
+    NOTIFICATION_TRANSPORTS: string;
     APPSYNC_ENDPOINT: string;
+    APPSYNC_EVENTS_ENDPOINT: string;
+    /**
+     * Channel namespace name — must match the pre-created namespace in the
+     * AppSync Event API (segment 1 of every channel path).
+     * Defaults to 'default'.
+     */
+    APPSYNC_EVENTS_NAMESPACE: string;
     SES_ENDPOINT: string;
     SES_REGION: string;
     SES_FROM_EMAIL: string;

package/dist/env.validation.js

@@ -9,10 +9,15 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.EnvironmentVariables = exports.Environment = void 0;
+exports.EnvironmentVariables = exports.Environment = exports.validateBuiltinNotificationTransportEnv = exports.parseNotificationTransports = exports.BUILTIN_NOTIFICATION_TRANSPORT_ENV = void 0;
 exports.getValidateConfig = getValidateConfig;
 const class_transformer_1 = require("class-transformer");
 const class_validator_1 = require("class-validator");
+const notification_env_validation_1 = require("./notification-env.validation");
+var notification_env_validation_2 = require("./notification-env.validation");
+Object.defineProperty(exports, "BUILTIN_NOTIFICATION_TRANSPORT_ENV", { enumerable: true, get: function () { return notification_env_validation_2.BUILTIN_NOTIFICATION_TRANSPORT_ENV; } });
+Object.defineProperty(exports, "parseNotificationTransports", { enumerable: true, get: function () { return notification_env_validation_2.parseNotificationTransports; } });
+Object.defineProperty(exports, "validateBuiltinNotificationTransportEnv", { enumerable: true, get: function () { return notification_env_validation_2.validateBuiltinNotificationTransportEnv; } });
 var Environment;
 (function (Environment) {
     Environment["Local"] = "local";
@@ -96,11 +101,26 @@ __decorate([
     (0, class_validator_1.IsOptional)(),
     __metadata("design:type", String)
 ], EnvironmentVariables.prototype, "SNS_REGION", void 0);
+__decorate([
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.IsOptional)(),
+    __metadata("design:type", String)
+], EnvironmentVariables.prototype, "NOTIFICATION_TRANSPORTS", void 0);
 __decorate([
     (0, class_validator_1.IsString)(),
     (0, class_validator_1.IsOptional)(),
     __metadata("design:type", String)
 ], EnvironmentVariables.prototype, "APPSYNC_ENDPOINT", void 0);
+__decorate([
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.IsOptional)(),
+    __metadata("design:type", String)
+], EnvironmentVariables.prototype, "APPSYNC_EVENTS_ENDPOINT", void 0);
+__decorate([
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.IsOptional)(),
+    __metadata("design:type", String)
+], EnvironmentVariables.prototype, "APPSYNC_EVENTS_NAMESPACE", void 0);
 __decorate([
     (0, class_validator_1.IsString)(),
     (0, class_validator_1.IsOptional)(),
@@ -136,6 +156,7 @@ function getValidateConfig(cls) {
         if (errors.length > 0) {
             throw new Error(errors.toString());
         }
+        (0, notification_env_validation_1.validateBuiltinNotificationTransportEnv)(validatedConfig);
         return validatedConfig;
     };
 }

package/dist/env.validation.js.map

@@ -1 +1 @@
-{"version":3,"file":"env.validation.js","sourceRoot":"","sources":["../src/env.validation.ts"],"names":[],"mappings":";;;;;;;;;;;;AAyFA,8CAoBC;AA7GD,yDAAqE;AACrE,qDAQwB;AAExB,IAAY,WAKX;AALD,WAAY,WAAW;IACrB,8BAAe,CAAA;IACf,kCAAmB,CAAA;IACnB,kCAAmB,CAAA;IACnB,8BAAe,CAAA;AACjB,CAAC,EALW,WAAW,2BAAX,WAAW,QAKtB;AAED,MAAa,oBAAoB;CAqEhC;AArED,oDAqEC;AAnEC;IADC,IAAA,wBAAM,EAAC,WAAW,CAAC;;sDACC;AAErB;IADC,IAAA,0BAAQ,GAAE;;sDACK;AAIhB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;sDACG;AAGhB;IADC,IAAA,2BAAS,GAAE;;mEACkB;AAG9B;IADC,IAAA,0BAAQ,GAAE;;uDACM;AAIjB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;+DACY;AAGzB;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;;6DACY;AAEvB;IADC,IAAA,4BAAU,GAAE;;kEACe;AAG5B;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;yDACM;AAGnB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;uDACI;AAEjB;IADC,IAAA,0BAAQ,GAAE;;4DACW;AAItB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;0DACO;AAGpB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;wDACK;AAElB;IADC,IAAA,0BAAQ,GAAE;;6DACY;AAIvB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;0DACO;AAGpB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;wDACK;AAIlB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;8DACW;AAIxB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;0DACO;AAGpB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;wDACK;AAElB;IADC,IAAA,0BAAQ,GAAE;;4DACW;AAItB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;qEACkB;AAI/B;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;qEACkB;AAGjC,SAAgB,iBAAiB,CAC/B,GAAyB;IAEzB,OAAO,SAAS,QAAQ,CAAC,MAA+B;QACtD,MAAM,eAAe,GAAG,IAAA,mCAAe,EACrC,GAAG,IAAI,oBAAoB,EAC3B,MAAM,EACN;YACE,wBAAwB,EAAE,IAAI;SAC/B,CACF,CAAA;QACD,MAAM,MAAM,GAAG,IAAA,8BAAY,EAAC,eAAe,EAAE;YAC3C,qBAAqB,EAAE,KAAK;SAC7B,CAAC,CAAA;QAEF,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAA;QACpC,CAAC;QACD,OAAO,eAAe,CAAA;IACxB,CAAC,CAAA;AACH,CAAC"}
+{"version":3,"file":"env.validation.js","sourceRoot":"","sources":["../src/env.validation.ts"],"names":[],"mappings":";;;;;;;;;;;;AAgIA,8CAyBC;AAzJD,yDAAqE;AACrE,qDAQwB;AAExB,+EAAuF;AAEvF,6EAIsC;AAHpC,iJAAA,kCAAkC,OAAA;AAClC,0IAAA,2BAA2B,OAAA;AAC3B,sJAAA,uCAAuC,OAAA;AAGzC,IAAY,WAKX;AALD,WAAY,WAAW;IACrB,8BAAe,CAAA;IACf,kCAAmB,CAAA;IACnB,kCAAmB,CAAA;IACnB,8BAAe,CAAA;AACjB,CAAC,EALW,WAAW,2BAAX,WAAW,QAKtB;AAED,MAAa,oBAAoB;CAoGhC;AApGD,oDAoGC;AAlGC;IADC,IAAA,wBAAM,EAAC,WAAW,CAAC;;sDACC;AAErB;IADC,IAAA,0BAAQ,GAAE;;sDACK;AAIhB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;sDACG;AAGhB;IADC,IAAA,2BAAS,GAAE;;mEACkB;AAG9B;IADC,IAAA,0BAAQ,GAAE;;uDACM;AAIjB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;+DACY;AAGzB;IAFC,IAAA,4BAAU,GAAE;IACZ,IAAA,0BAAQ,GAAE;;6DACY;AAEvB;IADC,IAAA,4BAAU,GAAE;;kEACe;AAG5B;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;yDACM;AAGnB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;uDACI;AAEjB;IADC,IAAA,0BAAQ,GAAE;;4DACW;AAItB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;0DACO;AAGpB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;wDACK;AAElB;IADC,IAAA,0BAAQ,GAAE;;6DACY;AAIvB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;0DACO;AAGpB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;wDACK;AAclB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;qEACkB;AAK/B;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;8DACW;AAKxB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;qEACkB;AAS/B;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;sEACmB;AAMhC;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;0DACO;AAGpB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;wDACK;AAElB;IADC,IAAA,0BAAQ,GAAE;;4DACW;AAItB;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;qEACkB;AAI/B;IAFC,IAAA,0BAAQ,GAAE;IACV,IAAA,4BAAU,GAAE;;qEACkB;AAGjC,SAAgB,iBAAiB,CAC/B,GAAyB;IAEzB,OAAO,SAAS,QAAQ,CAAC,MAA+B;QACtD,MAAM,eAAe,GAAG,IAAA,mCAAe,EACrC,GAAG,IAAI,oBAAoB,EAC3B,MAAM,EACN;YACE,wBAAwB,EAAE,IAAI;SAC/B,CACF,CAAA;QACD,MAAM,MAAM,GAAG,IAAA,8BAAY,EAAC,eAAe,EAAE;YAC3C,qBAAqB,EAAE,KAAK;SAC7B,CAAC,CAAA;QAEF,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAA;QACpC,CAAC;QAED,IAAA,qEAAuC,EACrC,eAAqD,CACtD,CAAA;QAED,OAAO,eAAe,CAAA;IACxB,CAAC,CAAA;AACH,CAAC"}

package/dist/guard/roles.guard.d.ts

@@ -1,10 +1,12 @@
 import { CanActivate, ExecutionContext, Logger } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
+import { GroupRoleResolverRegistry } from '../auth/group-role-resolver.registry';
 import { UserContext } from '../context';
 export declare class RolesGuard implements CanActivate {
     protected reflector: Reflector;
+    protected registry?: GroupRoleResolverRegistry;
     protected readonly logger: Logger;
-    constructor(reflector: Reflector);
+    constructor(reflector: Reflector, registry?: GroupRoleResolverRegistry);
     canActivate(context: ExecutionContext): Promise<boolean>;
     /**
      * Verify tenant access.
@@ -59,6 +61,14 @@ export declare class RolesGuard implements CanActivate {
      * This is a helper method that can be used by subclasses.
      */
     protected getAuthorizerClaims(context: ExecutionContext): import("../context").JwtClaims;
+    protected hasAnyRole(requiredRoles: string[], userRoles: string[]): boolean;
+    protected resolveGroupRoles(context: ExecutionContext, groupIds: string[]): Promise<string[]>;
     protected verifyRole(context: ExecutionContext): Promise<boolean>;
+    /**
+     * Returns the primary direct role string from JWT context.
+     *
+     * @deprecated Not invoked by `verifyRole`. For custom authorization, override
+     * `verifyRole`, `resolveGroupRoles`, or `canOverrideTenant` instead.
+     */
     protected getUserRole(context: ExecutionContext): Promise<string>;
 }